On Tue, Sep 08, 2015 at 08:49:16PM +0200, Jiri Denemark wrote:
On Tue, Sep 08, 2015 at 19:07:09 +0200, Martin Kletzander wrote:Commit f1f68ca33433 tried fixing running multiple domains under various users, but if the user can't browse the directory, it's hard for the qemu running under that user to create the monitor socket. The permissions need to be fixed in two places due to support for both installations with and without driver modules. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1146886 Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx> --- This is not a problem for non-rpm installs because normal make install will not change the permissions, it will just create the directory, so it has 0755, but that difference is not something I'm trying to fix in this patch. libvirt.spec.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index bb8bfc3c25c1..48461e865dc8 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -2002,7 +2002,7 @@ exit 0 %config(noreplace) %{_sysconfdir}/logrotate.d/libvirtd.qemu %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %ghost %dir %attr(0700, root, root) %{_localstatedir}/run/libvirt/qemu/ -%dir %attr(0750, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/ +%dir %attr(0751, %{qemu_user}, %{qemu_group}) %{_localstatedir}/lib/libvirt/qemu/Seems OK, but are we sure every file created in that directory uses 007 mask? Otherwise, we would be opening a hole here...
To be honest I haven't checked that. I'm relying on the fact that RPM-based installations are the only ones that get their permissions for others cut down, hence all normal installations would be broken already. Looking at the monitor socket for example, it might've been a problem, but it's pre-existing to this patch (again, for non-RPM-based installations). We could fix this by restricting the per-VM directories' permissions when creating them. There's also one more problem, that the default permissions are also 755 for channels, that should be fixed as well, it it really is a problem now. Although, if using SELinux, I think the problem is either not there or way less problematic. What's your view on that?
Jirka
Attachment:
signature.asc
Description: PGP signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list